An outsourcing register or vendor repository is a structured overview of all outsourcing arrangements of a financial institution. It ensures transparency towards supervisory authorities and auditors and provides a reliable basis for identifying and managing concentration risks, including at EU level.

The information register is a DORA-mandated register that contains detailed information on ICT services, ICT third-party providers, and critical functions across 15 tables. It allows supervisory authorities to gain a quick, consistent overview of an institution's ICT landscape, as well as concentration risks and dependencies at the EU level.

Leno generates outsourcing and information registers automatically based on a central, integrated data source. Information on outsourcing, ICT services, third parties, risks, and contracts is recorded once in a structured manner and then transferred in real time to the respective registers. Changes—such as updates to service providers, services, risk classifications, or approvals—are immediately applied and are visible in the outsourcing and information registers without manual maintenance.

‍

Leno provides the register at any time in an audit-proof, consistent, and traceable manner as of a given date. Data states, changes, and histories can be made available at the push of a button - without manual preparation.

Under DORA, financial institutions are required to maintain an information register as soon as they enter into contractual arrangements for the use of ICT services with third-party providers. This register must be kept up to date on an ongoing basis and submitted to the competent supervisory authorities at least once a year or made available upon request.

‍

The information register must include detailed information on ICT service providers and their respective contracts, including service identification, contract details, supported functions, classification as critical or non-critical, information on risks, and any subcontractors.

The DORA information register goes beyond traditional outsourcing registers, as it must additionally include structured data on ICT services, third parties, and critical functions—often in predefined tables (15-table model)—and is specifically designed for use by supervisory authorities and ESAs.

Yes. Financial institutions must provide the register in full to the competent supervisory authority upon request and, in many jurisdictions, submit it annually. This includes information on new contracts, categories of service providers, and the type of ICT services provided.

The register serves internal ICT risk management but is also used externally by supervisory authorities to monitor systemic risks and support the identification of critical ICT third-party providers at the EU level.

‍

This depends on the criticality of the supported function. If an ICT service does not support a critical or important function of the financial institution, generally only the ICT third-party provider in a direct contractual relationship with the financial institution (Tier 1) needs to be recorded. Subcontractors at downstream levels do not need to be listed in this case.

‍

Yes, intra-group ICT services must also be recorded in the information register. DORA generally does not distinguish between external and intra-group ICT providers. What matters is that an ICT service is provided to a financial institution and may impact its ICT resilience. An exception exists for the use of intra-group ICT providers, where additional information may be required, particularly to map ICT service chains. The relevant requirements are outlined in Commission Implementing Regulation (EU) 2024/2956, Annex I, Part 2, including the specifications for completing Template B_05.02.